How many sections are on the CPA exam?

The CPA exam has 4 required sections: 3 core sections (FAR — Financial Accounting, AUD — Auditing, REG — Regulation) and 1 discipline section of your choice (BAR, ISC, or TCP).

What is the passing score for the CPA exam?

A score of 75 (on a scale of 0–99) is required to pass each CPA exam section.

How long do I have to pass all CPA exam sections?

Candidates have 30 months from the date they pass their first section to pass all remaining sections.

How many questions are in each CPA exam section?

Each section contains approximately 72–78 multiple choice questions plus task-based simulations (TBS). The exact number varies by section.

CPA ISC Practice Exam 3 — Free 82-Question CPA Practice Test

Q01A CPA is advising a client who is migrating their legacy on-premise ERP system to a cloud-based solution. The client ...Medium

Q02During a review of a client's cloud governance structure, an auditor notes that the client uses a public cloud provid...Medium

Q03An auditor is evaluating the 'Processing Integrity' principle for a financial institution's loan origination system. ...Hard

Q04A company uses a batch processing system to update inventory records overnight. The 'Grandfather-Father-Son' backup r...Hard

Q05During a walkthrough of the change management process, an auditor observes that the 'Developer' role in the ERP syste...Medium

Q06An auditor is reviewing a SQL query used to extract 'Active Customers' for a marketing report. The query is:<br/><br/...Hard

Q07A healthcare provider stores patient records in a data warehouse. To comply with HIPAA while allowing data analysts t...Medium

Q08Under the General Data Protection Regulation (GDPR), a data subject requests that a company transmit their personal d...Medium

Q09A service organization is undergoing a SOC 2® Type II engagement. The auditor finds that for a sample of 25 new hires...Hard

Q10Which of the following scenarios BEST describes a 'Carve-out' method in a SOC 2® report involving a subservice organi...Medium

Q11An IT auditor is reviewing the 'Recovery Point Objective' (RPO) for a critical transaction database. Management has s...Medium

Q12Which of the following NIST Cybersecurity Framework (CSF) functions is PRIMARILY associated with the implementation o...Medium

Q13A retailer processes credit card transactions. They have segmented their network so that the Cardholder Data Environm...Medium

Q14An organization uses a 'Defense in Depth' strategy. Which of the following represents a correct layering of controls ...Medium

Q15A CPA is performing a SOC 2® engagement. The service organization uses a third-party data center for physical hosting...Easy

Q16Which of the following is a 'Complementary User Entity Control' (CUEC) likely to be found in a payroll service provid...Medium

Q17In the context of COBIT 2019, which of the following best describes the distinction between Governance and Management?Hard

Q18An auditor is testing a control that requires 'Three-way matching' before a payment is authorized. Which three docume...Easy

Q19A company implements a 'Zero Trust' architecture. Which of the following principles is central to this approach?Medium

Q20An auditor is reviewing a SOC 2® report and notices the opinion is 'Qualified'. What does this indicate?Medium

Q21Which of the following is a primary responsibility of the 'Data Controller' under GDPR?Easy

Q22A company uses an 'Incremental' backup strategy. A full backup is performed on Sunday. Incremental backups are perfor...Medium

Q23Which of the following SQL commands is used to remove a table and all its data permanently from the database?Easy

Q24An auditor is assessing the 'Availability' criteria for a cloud service provider. The provider claims 99.9% uptime. W...Medium

Q25A company is subject to HIPAA. An employee loses a company laptop containing unencrypted ePHI (electronic Protected H...Hard

Q26Which of the following is a characteristic of a 'Symmetric' encryption algorithm?Easy

Q27An auditor observes that a company uses a 'Hot Site' for disaster recovery. What does this imply?Medium

Q28In a SOC 2® engagement, which Trust Services Criteria category is MANDATORY for every report?Easy

Q29A developer is writing a SQL query to combine customer data from the 'Sales' table and the 'Support' table. They want...Medium

Q30Which of the following is an example of a 'Preventive' control?Easy

Q31An auditor is reviewing a client's compliance with the NIST Privacy Framework. The client has a process to 'notify in...Hard

Q32A company uses a 'Phishing Simulation' to test employees. This is primarily a test of which security domain?Easy

Q33Which of the following describes a 'Logic Bomb'?Medium

Q34An auditor is reviewing the 'Change Management' process. They find that the 'Request for Change' (RFC) form does not ...Medium

Q35A service organization provides a cloud-based accounting platform. They want to assure their customers that the syste...Medium

Q36Which of the following is a key requirement of the HIPAA Security Rule but NOT the Privacy Rule?Hard

Q37An auditor is reviewing a firewall configuration. They see a rule at the bottom of the Access Control List (ACL) that...Medium

Q38Which of the following is a risk associated with using a 'Public Blockchain' for financial reporting?Hard

Q39A company wants to ensure that their web application can handle a sudden spike in traffic during Black Friday sales. ...Medium

Q40An auditor is testing the 'Logical Access' controls for an ERP system. They select a sample of new employees and veri...Medium

Q41Which of the following is a primary benefit of using a 'Data Lake' compared to a 'Data Warehouse'?Medium

Q42An organization discovers a vulnerability in their web server software. The vendor has released a patch, but the orga...Hard

Q43Which of the following statements accurately describes the 'Integrity' component of the CIA Triad?Easy

Q44A company is using the 'Inclusive Method' for a subservice organization in their SOC 2® report. What does this imply ...Hard

Q45Which of the following is a 'Corrective' control?Medium

Q46An auditor is reviewing a database schema. They notice that the 'SocialSecurityNumber' column is stored in cleartext....Easy

Q47What is the primary purpose of a 'Management Assertion' in a SOC engagement?Medium

Q48A company uses a biometric fingerprint scanner and a PIN code for server room access. What type of authentication is ...Easy

Q49Which CIS Control is typically prioritized as Control #1 because you cannot protect what you do not know you have?Medium

Q50An auditor is reviewing the 'Incident Response Plan'. The plan includes a step for 'Containment'. What is the primary...Easy

Q51A company uses a 'Cold Site' for disaster recovery. Which of the following is the primary disadvantage of this approach?Medium

Q52Which of the following attacks involves an attacker intercepting communication between two parties and relaying messa...Easy

Q53An auditor is reviewing the 'Segregation of Duties' (SoD) in the payroll process. Which two roles should be separated?Medium

Q54A company uses 'Asymmetric' encryption for secure email. If Alice wants to send a confidential email to Bob that only...Hard

Q55Which of the following is a 'Detective' control?Easy

Q56An auditor is evaluating the 'Completeness' of data transfer from a legacy system to a new ERP. Which technique is MO...Medium

Q57Under COBIT 2019, which component of the governance system describes the 'rules of the game'?Medium

Q58A company wants to implement a 'Least Privilege' model for its cloud storage buckets. What does this entail?Easy

Q59An auditor is reviewing a SOC 2® Type II report. The testing period covers January 1 to December 31. The auditor noti...Medium

Q60Which of the following is an example of 'SaaS' (Software as a Service)?Easy

Q61A company is designing a new data center. They install a 'Biometric Mantrap' at the entrance. What is the purpose of ...Medium

Q62An auditor is reviewing a SQL query: `SELECT * FROM Employees WHERE Salary > 100000;`. What is the risk of using `SEL...Medium

Q63Which of the following is a 'Type 1' SOC report?Medium

Q64A company is implementing a 'Data Loss Prevention' (DLP) solution. Which of the following is a primary function of DLP?Medium

Q65Which of the following is a 'Physical' security control?Easy

Q66An auditor is reviewing the 'Change Management' logs and notices a change labeled 'Emergency Fix' that was deployed w...Medium

Q67Which of the following is a characteristic of 'Ransomware'?Easy

Q68A company uses a 'VPN' (Virtual Private Network) for remote employees. What is the primary security function of the VPN?Easy

Q69In a relational database, what is a 'Foreign Key'?Medium

Q70An auditor is testing the 'Termination' process. They find that a terminated employee's Active Directory account was ...Easy

Q71Which of the following is a requirement of the 'NIST SP 800-53' framework?Medium

Q72A company uses 'Input Validation' on its web forms. Which attack does this primarily prevent?Medium

Q73An auditor is assessing 'Independence' for a SOC engagement. Which of the following would impair independence?Easy

Q74What is the difference between 'Authentication' and 'Authorization'?Easy

Q75A company uses 'Containerization' (e.g., Docker) for its applications. From an auditor's perspective, what is a key d...Hard

Q76An auditor is reviewing the 'System Description' in a SOC 2® report. Which of the following MUST be included?Medium

Q77Which of the following is a 'Social Engineering' technique?Medium

Q78A company uses 'Role-Based Access Control' (RBAC). How are permissions assigned?Easy

Q79An auditor is reviewing the 'Business Continuity Plan' (BCP). Which of the following is a key component that determin...Medium

Q80Which of the following is a 'Subsequent Event' in a SOC engagement?Medium

Q81A company uses 'Hashing' to store passwords. Why is this better than encryption?Medium

Q82An auditor is reviewing the 'System Boundaries' in a SOC 2® engagement. The client has excluded their 'Customer Suppo...Hard

CPA ISC Practice Exam 3

Difficulty breakdown

Topics covered

Sample questions

Ready to Practice the full exam?

All questions (82)